[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Antoine Pitrou solipsis at pitrou.net
Mon Jun 3 23:41:19 CEST 2013

On Mon, 3 Jun 2013 22:31:40 +0100
Paul Moore <p.f.moore at gmail.com> wrote:
> > Some legit sites with proper
> > certificates still manage to muck something up administratively
> > (developer.quicksales.com.au has a cert from RapidSSL but doesn't
> > bundle the intermediates, and I've told their devs about it, but all I
> > can do is disable cert checking). This will break code in ways that
> > will surprise people greatly. But I'd still rather the default be
> > True.
> >
> I'm happy if the "will cease to work" clause only says "some sites with
> broken security configurations may stop working" with a clear explanation
> that it is *their* fault, not Python's. I'd also expect that the same sites
> would fail in browsers - if not, we should also be able to make them work
> (or face cries of "well, Internet Explorer/Firefox doesn't have a problem
> with my site, why does Python?").

Keep in mind that not every HTTPS service is a Web site that is meant
to be readable with a browser. Some are Web services, possibly internal,
possibly without a domain name (and, therefore, probably a non-matching
certificate subject name).



More information about the Python-Dev mailing list